MultiformeIngegno

Reputation: 7059

Block access of a PHP page if visitor doesn't come from a certain page (on same domain)

As title says, I'd like to block visitors from viewing content of a page if they don't come from a specific URL. How can I achieve this? I have PHP over Nginx. Would it be better to use PHP or Nginx?

I read that using HTTP_REFERER is not the best idea because it's not mandatory for the browsers... what would you do (code examples)?

Upvotes: 0

Views: 2155

Answers (5)

rage8885

Reputation: 417

A simple way would be to set a one-time session variable on the first page, and read that variable on the second page.

For example, page 1:

session_start(); // required before $_SESSION can be used
$_SESSION['viewed_page1'] = true;

Page 2:

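session_start();
// empty() avoids an undefined-index notice when the flag was never set
if (empty($_SESSION['viewed_page1'])) {
  echo 'You need to visit page 1 first!';
  exit; // stop here so the rest of page 2 is not rendered
}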


Upvotes: 1

Sébastien Renauld

Reputation: 19672

The most bullet-proof solution is to pass a _GET parameter that is not trivial to guess from one page to the next, à la unique tokens.

It, however, takes a hell of a lot of effort to implement correctly, as it's not the simplest solution, and by far not the simplest to implement either.

In order of complexity, with the simplest at the top, your alternatives are:

  • Referer
  • Using a fixed GET parameter
  • Cookie placed on the user on the first page. Doesn't work for visitors not accepting cookies, and you'll need a cookie policy if you work in the EU.
  • Using nonces as GET parameters

The last solution in detail

Your initial page generates a one-off string, and appends it to every link. You then check if this string is matched with an entry in a database/flat file, and if so, allow access. If not, you deny access. You then invalidate the token so users have to go through the page again.

Upvotes: 3
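
The nonce approach described in the answer above, as an added example that is not part of the original answer. It assumes the token store is the PHP session rather than a database/flat file; the five-minute lifetime, the `t` and `page` parameter names and the single-file layout are illustrative choices.

```php
<?php
declare(strict_types=1);
// Added example, not code from the answers. Assumptions: tokens live in the
// PHP session instead of a database/flat file; one script serves both pages.

const TOKEN_TTL = 300; // seconds a link stays valid (assumed value)

// Page A side: create a one-off token and remember its hash server-side.
function issue_token(array &$store, int $now): string
{
    $token = bin2hex(random_bytes(32));            // 256 random bits
    $store[hash('sha256', $token)] = $now + TOKEN_TTL;
    return $token;
}

// Page B side: a token is accepted once, then deleted (even if expired).
function redeem_token(array &$store, string $token, int $now): bool
{
    $key = hash('sha256', $token);
    if (!isset($store[$key])) {
        return false;                              // unknown or already used
    }
    $expires = $store[$key];
    unset($store[$key]);                           // invalidate on first use
    return $now <= $expires;
}

session_start();
$_SESSION['tokens'] ??= [];

if (($_GET['page'] ?? 'a') === 'a') {
    // Page A: every link to page B carries a fresh token (hex, URL-safe).
    $t = issue_token($_SESSION['tokens'], time());
    echo '<a href="?page=b&amp;t=' . $t . '">Continue to page B</a>';
} else {
    // Page B: refuse the request unless it presents an unused token.
    $t = $_GET['t'] ?? '';
    if (!is_string($t) || !redeem_token($_SESSION['tokens'], $t, time())) {
        http_response_code(403);
        exit('Please start from page A.');
    }
    echo 'Page B content';
}
```

A passing check shows only that this browser session loaded page A within the token lifetime; reloading page B or replaying the link fails because the token is deleted on first use.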

NappingRabbit

Reputation: 1918

You can use a session variable and pass a particular 'key' from one page, and require it on the following page in order to display it.

You can find info on sessions here

Upvotes: 0

romo

Reputation: 1990

Probably not perfect, but I would set a $_SESSION on the initial page and then check and remove it on the linked page.

session_start(); // required before $_SESSION can be used
$_SESSION['allow'] = 'yes';

then on the next page

session_start();
if (isset($_SESSION['allow']) && $_SESSION['allow'] == 'yes') {
    // overwrite the marker so it no longer reads 'yes' on the next request
    $_SESSION['allow'] = 'now viewing';
}

Or something like that....

Upvotes: 3

Ruan Mendes

Reputation: 92334

The only way to restrict access to pages is by using someone's credentials; there's no reliable way to detect where the user came from since that can be spoofed.

Therefore there is no way to allow access to a page B only if the user just came from page A (unless you do it unreliably through HTTP_REFERER).

You could also set a cookie (or session variable) on page A and not display page B unless the user had the cookie (session variable) set, but that would not require that the user be going straight from page A to page B.

Upvotes: 1
